Towards Usable Secure Requirements Engineering with IRIS
Shamal Faily
University of Oxford
How rational are security and usability requirements?

[Slide images: Stapes USB Combination Lock (no longer available); PGP]
HCI can help

[Slide diagram: a cloud of HCI approaches]
• Ethnomethodology
• Contextual Design
• Interaction Programming
• Activity Theory
• User Centered Design
• Grounded Design
• Task Analysis
• Participative Design
• Usage Centered Design
• Value-Centered HCI

Horses for courses?
(The same slide is repeated twice with overlaid questions:) What about the requirements? What about security?
It’s just an engineering problem?

“there are many tensions that engineers have still not begun to explore. For example, ease of use is a priority in control systems design, and security usability is known to be hard. Will we see conflicts between security and safety usability? As a typical plant operator earns less than $40,000, the ‘Homer Simpson’ problem is a real one. How do we design security that Homer can use safely?”

Anderson, R., Fuloria, S. Security Economics and Critical National Infrastructure. In Eighth Workshop on the Economics of Information Security (WEIS 2009). 2009
Current problems
• How do we represent different environments?

[Slide images: security attribute values annotated in three contexts of use]
• Office after security awareness seminar: Confidentiality: High; Accountability: High
• 6 PM Friday and running for the train: Availability: High
• 8.15 AM Monday - on the train to work: Availability: Low; Availability: Low
Current problems
• Values and Context
  [Slide image: book cover “Being Human: Human-Computer Interaction in the Year 2020”]
• Goals
Reasons for lack of industrial uptake!

(Overlaid questions on the repeated slide:) What about the requirements? What about security?
Some Good News
• Environments and Contexts of Use
  [Slide diagram: Environment, containing User, Task, Affordance and Object]

[Slide diagram: a requirements engineering process]
Scope Problem Domain → Elicit Empirical / Conceptual Data → Analyse Problem Concerns → Specify System → Validate & Manage System Evolution

(Overlaid question on the repeated slide:) What about the requirements?
What is IRIS?
A framework for specifying software systems that are secure for their contexts of use.

[Slide diagram: A Meta-Model for Usable Secure Requirements Engineering. Concepts shown: Context of Use, Environment, Goal, Obstacle, Task, Persona, Misuse Case, Scenario, Threat, Motive, Capability, Attacker, Vulnerability, Asset, Risk, Response (Accept, Transfer, Mitigate), Countermeasure, Requirement, Security Attribute, Usability Attribute. The association multiplicities are not legible in this extraction.]
[Slide: the IRIS meta-model repeated alongside the IRIS process. Legible labels: Empirical Data, Participant data, Establish Scope, Investigate Contexts, Workshops, CAIRIS Database, Requirements, NeuroGrid data upload/data download Requirements Specification. The remaining figure text is not legible in this extraction.]

                                                                                                                                                                                                                                                                                                                8945(*&."#$%&'()*+,-./,)&*01$&,.211,++
                                                                                                                                                                                                                                                                                                                                                    !)/+(742+),89(:8(+;




                                                                                                                                                                                                                                                                                                                                                                                                                                                           >*?(1(9'),!.'')5)
                                                                                                                                                                                                                     /$)(5
                                                                                                                                                                                                                                                                                                                                                                                                                             6C'.2<,<2+2




                                                                                                                                                                                                                                                                                                  C;;'DE2(#)-                                      1*+--%*,%,'4#"?&-+-)#*'+$$%&&

                                                                                                                                                                                                                                                                                                  !)/+(742+),1B2/(*5




                                                                                                     contexts]
                                                                                                                                                                                                                                           677-89./')%                                                                    !"#%%+",+,-4'(;*%#%)'"-#00+**
                                                                                                                                                                                                                                                                                                                                                                                                                                                           !'(*(42',<2+2




                                                                                                                                                                                                                                                                                                                                                                                                                           !"#$




                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           !"#%

                                                                                                                                                                                                                                                                                                                                                                                                                                                             &2/+(2',2*.*;=(12+(.*




A Meta-Model for Usable Secure Requirements Engineering
• Models
• Design Method
• Tool-support
• Requirements Documentation

Relevant Concepts
Drawn from Requirements Engineering, User-Centered Design, HCI, Information Security and Security Requirements Engineering:
• GORE (KAOS)
• Scenarios
• Personas
• Tasks
• Environments
• Misuse-Cases
• Meta-Models
• Risk Analysis
• Responsibility Modelling
Example: Modifying PLC Software
• Programmable Logic Controllers (PLC) control clean and waste water processes.
• Modifications may be made under duress.
• Accidental or deliberate errors can be catastrophic.
(Image: © Reed Business Information 2010)
Scoping the Problem Domain
• Planned and Unplanned Environments
[Figure: problem-domain diagram (image not preserved). People: Sys Admin, Software Repository Manager, Instrument Technician. Assets and infrastructure: Configuration Data, SCADA HMI Data, PLC Software, Telemetry Software, Software Repository, Portal, VPN, Corporate Network, Laptop, Access PC.]
Persona building
Empirical data → Grounded Theory → Affinity Modelling
Affinity model categories (counts in parentheses as on the slide):
• Organisational Characteristics: Governance (3), Technology Demarcation (6), Role responsibility (8), Organisational norms (34)
• Context: Planned change (11), Unplanned change (3)
• Tacit Knowledge: Learned experience (13), Site knowledge (7), Configuration knowledge (7), Tool knowledge (13), Backup norms (24)
• Supporting Roles: Sub-contractor support (5), Commissioning (6)
• Vulnerability: Physical security perception (6), Tool clunkiness (9), Task fatigue (5), Network availability (4), Remote access (6), PLC proliferation (4), Multiple changers (2), Legacy concern (12)
• Threat: Petty theft (4), Vandalism (2), Technical insider (1), Social engineering (3)
Workshop Walkthrough
• Persona Validation
Alan
• "There's a lot of ignorance out there"
• Conscious of vulnerabilities arising from complex tools.
• Hopes the repository will encourage a standardised approach to software changes and backups.

Wednesday, 16 December 2009
Workshop Walkthrough (continued)
• Asset Modelling
• Task Analysis
• Goal Modelling
• Requirements Specification
• Risk Analysis
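The walkthrough steps above, from asset modelling through to risk analysis, all hang off one environment-scoped model: the same asset can carry different security properties in different environments, and a risk only exists where a threat and a vulnerability are both present in the same environment. The following Python is an added illustration written for this page, not CAIRIS code or code from the talk. It models environment-scoped assets, vulnerabilities and threats, derives risks where they co-occur, scores them and renders each as a one-line misuse case. The ordinal scales, the likelihood × severity × asset-value scoring, the attacker descriptions and every rating given to the PLC example are assumptions; only the environment, asset, vulnerability and threat names are taken from the slides.

```python
"""Environment-scoped asset and risk model, in the spirit of the IRIS
meta-model described in this talk (assets, environments, vulnerabilities,
threats, risks, misuse cases).  This is an added illustration, not CAIRIS
code: the ordinal scales, the scoring arithmetic, the attacker descriptions
and the PLC example ratings are assumptions made here for demonstration."""
from dataclasses import dataclass

# Assumed ordinal scale shared by security-property values and threat /
# vulnerability ratings, so they can be multiplied into a comparable score.
LEVEL = {"None": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Asset:
    name: str
    # {environment: {security property: level}}: the same asset may need
    # different properties in different environments.
    properties: dict


@dataclass
class Vulnerability:
    name: str
    asset: Asset
    severity: dict      # {environment: level}; absent key = not present there


@dataclass
class Threat:
    name: str
    attacker: str       # assumed description, not from the study
    asset: Asset
    target_property: str    # the security property the threat attacks
    likelihood: dict    # {environment: level}; absent key = not present there


@dataclass
class Risk:
    name: str
    threat: Threat
    vulnerability: Vulnerability

    def environments(self):
        """A risk only exists where its threat and vulnerability co-occur."""
        return sorted(set(self.threat.likelihood) & set(self.vulnerability.severity))

    def score(self, env):
        """Assumed rating: likelihood x severity x value of the attacked
        property in that environment; 0 where the risk does not exist."""
        if env not in self.environments():
            return 0
        asset = self.threat.asset
        value = LEVEL[asset.properties[env].get(self.threat.target_property, "None")]
        return (LEVEL[self.threat.likelihood[env]]
                * LEVEL[self.vulnerability.severity[env]]
                * value)

    def misuse_case(self, env):
        """Render the risk as a one-sentence misuse case for one environment."""
        t, v = self.threat, self.vulnerability
        return (f"In the {env} environment, {t.attacker} exploits "
                f"'{v.name}' ({v.asset.name}) via '{t.name}' to compromise the "
                f"{t.target_property} of {t.asset.name}.")


def rank_risks(risks):
    """All (score, risk name, environment) triples, highest score first."""
    table = [(r.score(env), r.name, env) for r in risks for env in r.environments()]
    return sorted(table, reverse=True)


def build_example():
    """Constructed PLC-software example using the environments, assets,
    vulnerabilities and threats named in this talk; all ratings are assumed."""
    plc_software = Asset("PLC Software", {
        "Planned":   {"Integrity": "High", "Availability": "Medium"},
        "Unplanned": {"Integrity": "High", "Availability": "High"},
    })
    laptop = Asset("Laptop", {
        "Planned":   {"Confidentiality": "Medium"},
        "Unplanned": {"Confidentiality": "Medium"},
    })
    # Task fatigue is assumed to matter only during unplanned change.
    task_fatigue = Vulnerability("Task fatigue", plc_software,
                                 {"Unplanned": "High"})
    remote_access = Vulnerability("Remote access", laptop,
                                  {"Planned": "Medium", "Unplanned": "Medium"})
    social_eng = Threat("Social engineering", "an outsider posing as support",
                        plc_software, "Integrity",
                        {"Planned": "Low", "Unplanned": "Medium"})
    petty_theft = Threat("Petty theft", "an opportunistic thief", laptop,
                         "Confidentiality",
                         {"Planned": "Low", "Unplanned": "Low"})
    return [
        Risk("Modification under duress", social_eng, task_fatigue),
        Risk("Stolen laptop", petty_theft, remote_access),
    ]


if __name__ == "__main__":
    risks = build_example()
    for score, name, env in rank_risks(risks):
        print(f"{score:2d}  {name} [{env}]")
    print(risks[0].misuse_case("Unplanned"))
```

Running the module ranks the constructed risks. "Modification under duress" is reported only for the Unplanned environment, because the "Task fatigue" vulnerability is not modelled for planned change; that is the environment sensitivity the modelling is meant to surface, and it is why a score of 0 in one environment should be read as "risk absent here", not "risk accepted".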
Observations
• A natural process to participants.
• Modelling environments increases
  participant sensitivity to them.
• Risk Analysis is more about the destination
  than the journey.
• We can’t replace creativity, but we can help
  innovation.
Thank you for listening!
• Any questions?


    Acknowledgements
This research was funded by the
EPSRC CASE Studentship R07437/
CN001.
We are also grateful to Qinetiq Ltd
for their sponsorship of this work.

Más contenido relacionado

Similar a Resg2010 key

Why UX Design Needs Content Strategy
Why UX Design Needs Content StrategyWhy UX Design Needs Content Strategy
Why UX Design Needs Content StrategyKaren McGrane
 
モバイル夜間大学 UCDプロセス-enjoji_100721
モバイル夜間大学 UCDプロセス-enjoji_100721モバイル夜間大学 UCDプロセス-enjoji_100721
モバイル夜間大学 UCDプロセス-enjoji_100721Hitoshi Enjoji
 
IA Summit 2013 Closing Plenary
IA Summit 2013 Closing PlenaryIA Summit 2013 Closing Plenary
IA Summit 2013 Closing PlenaryKaren McGrane
 
We are all content strategists now
We are all content strategists nowWe are all content strategists now
We are all content strategists nowKaren McGrane
 
Avoiding the 11th Hour Sh*storm at SxSW
Avoiding the 11th Hour Sh*storm at SxSWAvoiding the 11th Hour Sh*storm at SxSW
Avoiding the 11th Hour Sh*storm at SxSWKaren McGrane
 
The Many Facets of UX Design
The Many Facets of UX DesignThe Many Facets of UX Design
The Many Facets of UX DesignJonathan Lupo
 
Developing Successful Content Management Solutions
Developing Successful Content Management SolutionsDeveloping Successful Content Management Solutions
Developing Successful Content Management SolutionsKaren McGrane
 
20120725 "Value Co-creation in Tourism" in the 1st Conference on Human side o...
20120725 "Value Co-creation in Tourism" in the 1st Conference on Human side o...20120725 "Value Co-creation in Tourism" in the 1st Conference on Human side o...
20120725 "Value Co-creation in Tourism" in the 1st Conference on Human side o...Tatsunori Hara
 
Sigdial poster mpowers_final
Sigdial poster mpowers_finalSigdial poster mpowers_final
Sigdial poster mpowers_finalMarianne Laurent
 
Flotree customer centered vision
Flotree   customer centered visionFlotree   customer centered vision
Flotree customer centered visionDave Flotree
 
The CCA Leading By Design Fellows Program
The CCA Leading By Design Fellows ProgramThe CCA Leading By Design Fellows Program
The CCA Leading By Design Fellows Programswissnex San Francisco
 
Experience design
Experience designExperience design
Experience designTim Ostler
 
Prem project interaction final
Prem project interaction finalPrem project interaction final
Prem project interaction finalPrem Chandran
 
A Method for Reusing and Re-engineering Non-ontological Resources for Buildin...
A Method for Reusing and Re-engineering Non-ontological Resources for Buildin...A Method for Reusing and Re-engineering Non-ontological Resources for Buildin...
A Method for Reusing and Re-engineering Non-ontological Resources for Buildin...Boris Villazón-Terrazas
 
Manisha Gupta's Portfolio
Manisha Gupta's PortfolioManisha Gupta's Portfolio
Manisha Gupta's Portfolioguptamanisha84
 

Similar a Resg2010 key (20)

Why UX Design Needs Content Strategy
Why UX Design Needs Content StrategyWhy UX Design Needs Content Strategy
Why UX Design Needs Content Strategy
 
Becoming a ux practitioner
Becoming a ux practitionerBecoming a ux practitioner
Becoming a ux practitioner
 
モバイル夜間大学 UCDプロセス-enjoji_100721
モバイル夜間大学 UCDプロセス-enjoji_100721モバイル夜間大学 UCDプロセス-enjoji_100721
モバイル夜間大学 UCDプロセス-enjoji_100721
 
IA Summit 2013 Closing Plenary
IA Summit 2013 Closing PlenaryIA Summit 2013 Closing Plenary
IA Summit 2013 Closing Plenary
 
We are all content strategists now
We are all content strategists nowWe are all content strategists now
We are all content strategists now
 
Service Design
Service Design Service Design
Service Design
 
Avoiding the 11th Hour Sh*storm at SxSW
Avoiding the 11th Hour Sh*storm at SxSWAvoiding the 11th Hour Sh*storm at SxSW
Avoiding the 11th Hour Sh*storm at SxSW
 
The Many Facets of UX Design
The Many Facets of UX DesignThe Many Facets of UX Design
The Many Facets of UX Design
 
Developing Successful Content Management Solutions
Developing Successful Content Management SolutionsDeveloping Successful Content Management Solutions
Developing Successful Content Management Solutions
 
20120725 "Value Co-creation in Tourism" in the 1st Conference on Human side o...
20120725 "Value Co-creation in Tourism" in the 1st Conference on Human side o...20120725 "Value Co-creation in Tourism" in the 1st Conference on Human side o...
20120725 "Value Co-creation in Tourism" in the 1st Conference on Human side o...
 
Sigdial poster mpowers_final
Sigdial poster mpowers_finalSigdial poster mpowers_final
Sigdial poster mpowers_final
 
Envision Overview
Envision OverviewEnvision Overview
Envision Overview
 
Flotree customer centered vision
Flotree   customer centered visionFlotree   customer centered vision
Flotree customer centered vision
 
The CCA Leading By Design Fellows Program
The CCA Leading By Design Fellows ProgramThe CCA Leading By Design Fellows Program
The CCA Leading By Design Fellows Program
 
Etch Group
Etch GroupEtch Group
Etch Group
 
Experience design
Experience designExperience design
Experience design
 
Prem project interaction final
Prem project interaction finalPrem project interaction final
Prem project interaction final
 
A Method for Reusing and Re-engineering Non-ontological Resources for Buildin...
A Method for Reusing and Re-engineering Non-ontological Resources for Buildin...A Method for Reusing and Re-engineering Non-ontological Resources for Buildin...
A Method for Reusing and Re-engineering Non-ontological Resources for Buildin...
 
Manisha Gupta's Portfolio
Manisha Gupta's PortfolioManisha Gupta's Portfolio
Manisha Gupta's Portfolio
 
6th Wave member Trento Health & Well Being Territorial Lab
6th Wave member Trento Health & Well Being Territorial Lab6th Wave member Trento Health & Well Being Territorial Lab
6th Wave member Trento Health & Well Being Territorial Lab
 

Último

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Último (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Resg2010 key

  • 1. Towards Usable Secure Requirements Engineering with IRIS Shamal Faily University of Oxford
  • 2. How rational are security and usability requirements? Stapes USB Combination Lock PGP (no longer available)
  • 4. HCI can help. Candidate approaches: Ethnomethodology, Contextual Design, Interaction Programming, Activity Theory, User Centered Design, Grounded Design, Task Analysis, Participative Design, Usage Centered Design, Value-Centered HCI. Horses for courses?
  • 5. HCI can help (same diagram, overlaid with the question: "What about the requirements?")
  • 6. HCI can help (same diagram, overlaid with the questions: "What about the requirements?" and "What about security?")
  • 7. It’s just an engineering problem? “there are many tensions that engineers have still not begun to explore. For example, ease of use is a priority in control systems design, and security usability is known to be hard. Will we see conflicts between security and safety usability? As a typical plant operator earns less than $40,000, the ‘Homer Simpson’ problem is a real one. How do we design security that Homer can use safely?” Anderson, R., Fuloria, S. Security Economics and Critical National Infrastructure. In Eighth Workshop on the Economics of Information Security (WEIS 2009). 2009
  • 8. Current problems • How do we represent different environments?
  • 9. Current problems • How do we represent different environments? Office, after a security awareness seminar: Confidentiality: High, Accountability: High
  • 10. Current problems • How do we represent different environments? 6 PM Friday, running for the train: Availability: High
  • 11. Current problems • How do we represent different environments? 8.15 AM Monday, on the train to work: Availability: Low
  • 13. Current problems • Values and Context (Being Human: Human-Computer Interaction in the Year 2020)
  • 14. Current problems • Values and Context • Goals (callout: "Reasons for lack of industrial uptake!")
  • 15. Current problems • Values and Context • Goals (same slide, overlaid with the question: "What about the requirements?")
  • 16. Current problems • Values and Context • Goals (same slide, overlaid with the questions: "What about the requirements?" and "What about security?")
  • 17. Some Good News • Environments and Contexts of Use Environment User Task Affordance Object
  • 18. Some Good News. Process diagram: Elicit & Scope → Validate Problem Domain → Analyse Problem Concerns → Empirical / Conceptual Data → Specify System → Manage System Evolution
  • 19. Some Good News (same process diagram, overlaid with the question: "What about the requirements?")
  • 20. What is IRIS? A framework for specifying software systems that are secure for their contexts of use. Meta-model diagram ("A Meta-Model for Usable Secure Requirements Engineering") relating the following concepts within a Context of Use: Goal, Task, Persona, Misuse Case, Threat, Motive, Attacker, Capability, Asset, Risk, Response (Accept, Transfer, Mitigate), Environment, Scenario, Vulnerability, Requirement, Countermeasure, Obstacle, Usability Attribute, Security Attribute.
  • 21. What is IRIS? A framework for specifying software systems that are secure for their contexts of use. Same meta-model diagram, annotated with the framework's three parts: Models (the meta-model), Design Method and Tool-support. Annotations: Empirical Data / Participant data → Establish Scope → Investigate Contexts (Workshops) → CAIRIS Database → Requirements Specification / Requirements Documentation (illustrated with an extract from the NeuroGrid data upload/data download requirements specification).
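The meta-model on slides 20 and 21 ties a Risk to a Threat, a Vulnerability and an Environment, and slides 9 to 11 show the same asset carrying different security attribute values in different contexts. The following Python is an added illustration of that rule written for this page; it is not CAIRIS's code and not the author's. The four-level rating scale, the rule that a risk exists only where a threat and a vulnerability share an environment and at least one asset, the multiplicative score, and the PLC sample data (environment names, asset, threat and vulnerability names) are all assumptions made here for illustration.

```python
"""Environment-scoped risk derivation in the style of the IRIS meta-model.

Example code written for this page, not CAIRIS's implementation.  The
rating scale, the scoring rule and the sample data are assumptions.
"""
from dataclasses import dataclass
from itertools import product

# Assumed ordinal scale for attribute values, likelihood and severity.
RATING = {"None": 0, "Low": 1, "Medium": 2, "High": 3}
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability", "Accountability")


@dataclass
class Asset:
    name: str
    # environment -> {attribute: rating}: the same asset is valued
    # differently in each context of use (slides 9-11).
    values: dict

    def value(self, env: str, attr: str) -> str:
        return self.values.get(env, {}).get(attr, "None")


@dataclass
class Threat:
    name: str
    environments: set      # environments in which the threat is present
    assets: set            # names of assets it targets
    likelihood: str


@dataclass
class Vulnerability:
    name: str
    environments: set      # environments in which the weakness exists
    assets: set            # names of assets that expose it
    severity: str


@dataclass(frozen=True)
class Risk:
    threat: str
    vulnerability: str
    environment: str
    assets: frozenset
    score: int


def derive_risks(threats, vulnerabilities, assets_by_name):
    """Pair every threat with every vulnerability, but emit a Risk only
    for environments where both are present and expose a common asset
    that has some value there.  Score = likelihood x severity x the
    highest attribute value of the shared assets in that environment
    (an assumed scoring rule, not CAIRIS's)."""
    risks = []
    for t, v in product(threats, vulnerabilities):
        for env in sorted(t.environments & v.environments):
            shared = t.assets & v.assets
            if not shared:
                continue
            exposure = max(RATING[assets_by_name[a].value(env, attr)]
                           for a in shared for attr in ATTRIBUTES)
            if exposure == 0:
                continue  # asset is worthless in this context: nothing to treat
            risks.append(Risk(t.name, v.name, env, frozenset(shared),
                              RATING[t.likelihood] * RATING[v.severity] * exposure))
    return sorted(risks, key=lambda r: -r.score)


def plc_example():
    """Constructed sample loosely based on the page's PLC case study.
    Task fatigue is modelled as present only under unplanned change, so
    the erroneous-change threat yields a risk in that environment alone."""
    plc_software = Asset("PLC Software", {
        "Planned change":   {"Integrity": "High", "Availability": "Medium"},
        "Unplanned change": {"Integrity": "High", "Availability": "High"},
    })
    assets = {plc_software.name: plc_software}
    threats = [Threat("Erroneous software change",
                      {"Planned change", "Unplanned change"},
                      {"PLC Software"}, likelihood="Medium")]
    vulns = [Vulnerability("Task fatigue", {"Unplanned change"},
                           {"PLC Software"}, severity="Medium")]
    return derive_risks(threats, vulns, assets)


if __name__ == "__main__":
    for r in plc_example():
        print(f"{r.environment}: {r.threat} via {r.vulnerability} "
              f"on {sorted(r.assets)} -> score {r.score}")
```

The point of the environment intersection is the one slide 37 makes: a threat that is present everywhere only becomes a risk where a matching vulnerability also exists, so modelling environments explicitly stops a risk analysis from treating the office and the 6 PM dash for the train as the same context.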
  • 23. Relevant Concepts, drawn from Requirements Engineering, HCI and Information Security: GORE (KAOS), Scenarios, Misuse Cases, Security Requirements Engineering, Meta-Models, Risk Analysis, Responsibility Modelling, User-Centered Design, Personas, Environments, Tasks.
  • 24. Example: Modifying PLC Software • Programmable Logic Controllers (PLC) control clean and waste water processes. • Modifications may be made under duress. • Accidental or deliberate errors can be catastrophic.
  • 25. Example: Modifying PLC Software • Programmable Logic Controllers (PLC) control clean and waste water processes. • Modifications may be made under duress. • Accidental or deliberate errors can be catastrophic. © Reed Business Information 2010
  • 26. Scoping the Problem Domain • Planned and Unplanned Environments. Diagram elements: Sys Admin, Configuration Data, SCADA HMI Data, Software Repository Portal, PLC Software, Telemetry Software, VPN, Corporate Network, Laptop, Access PC, Software Repository Manager, Instrument Technician.
  • 28. Persona building: Empirical data → Grounded Theory → Affinity Modelling. Coded concepts (occurrence counts in brackets). Organisational Context / Characteristics: Technology, Planned change (3), Unplanned change (11), Governance (3), Demarcation (6), Role responsibility (8), Organisational norms (34), Supporting roles. Tacit Knowledge: Learned experience (13), Site knowledge (7), Configuration knowledge (7), Sub-contractor support (5), Commissioning (6), Tool knowledge (13), Backup norms (24). Vulnerability and Threat: Physical security perception (6), Tool clunkiness (9), Petty theft (4), Vandalism (2), Task fatigue (5), Social engineering (3), Network availability (4), Remote access (6), PLC insider (1), Technical proliferation (4), Multiple changers (2), Legacy concern (12).
  • 31. Workshop Walkthrough • Persona Validation Alan • “There’s a lot of ignorance out there” • Conscious of vulnerabilities arising from complex tools. • Hopes the repository will encourage a standardised approach to software changes and backups. Wednesday, 16 December 2009
  • 32. Workshop Walkthrough • Persona Validation • Asset Modelling
  • 33. Workshop Walkthrough • Persona Validation • Asset Modelling • Task Analysis
  • 34. Workshop Walkthrough • Persona Validation • Asset Modelling • Task Analysis • Goal Modelling
  • 35. Workshop Walkthrough • Persona Validation • Asset Modelling • Task Analysis • Goal Modelling • Requirements Specification
  • 36. Workshop Walkthrough • Persona Validation • Asset Modelling • Task Analysis • Goal Modelling • Requirements Specification • Risk Analysis
  • 37. Observations • A natural process to participants. • Modelling environments increases participant sensitivity to them. • Risk Analysis is more about the destination than the journey. • We can’t replace creativity, but we can help innovation.
  • 38. Thank you for listening! • Any questions? Acknowledgements This research was funded by the EPSRC CASE Studentship R07437/ CN001. We are also grateful to Qinetiq Ltd for their sponsorship of this work.